Subject: Re: [xacml] Re: "else" is what ? Was:Re: [xacml] Generalizing on-permit-apply-second
Hi Bill,

On 24/05/2013 10:35 AM, William Parducci wrote:
> On May 23, 2013, at 5:23 PM, Steven Legg <email@example.com> wrote:
>
>> Hi Bill,
>>
>> On 24/05/2013 1:58 AM, Bill Parducci wrote:
>>> If there is a condition in any given PolicySet that could preclude the inclusion of any other PolicySet, it seems that there would be the possibility of conflict. I have not thought about this in depth, but it seems possible that PolicySet A could have a condition that fires excluding PolicySet B which concurrently has a condition that fires, excluding PolicySet A.
>>
>> The only way I can see that being possible is if the policy sets include each other by reference, either directly or indirectly. Such a construction is an error according to the XACML core. As children of the same policy set with the on-permit-apply-second combining algorithm, only the first child has the power to exclude the second and/or third child. The second and third children can't exclude each other or the first child.
>>
>> Steven
>
> Ok. So to make sure that I am fully grasping this, the proposal is that this new mechanism only applies to PolicySets (not Policies)

Correct. The on-permit-apply-second combining algorithm is only defined as a policy combining algorithm.

> and that these PolicySets will have a new requirement that Policy order is required to be maintained within them. Is this correct?

Yes, the order is significant (even in the current draft).

Regards,
Steven
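
The circular inclusion mentioned in the thread (policy sets that include each other by reference, directly or indirectly) can be checked before policies are loaded. The sketch below is an added example, not part of the original message or of any XACML implementation; it assumes the XACML 3.0 core namespace, and the `bundle` wrapper, the short policy set ids and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Assumption: XACML 3.0 core schema namespace.
NS = "{urn:oasis:names:tc:xacml:3.0:core:schema:wd-17}"

# Constructed sample, trimmed to the reference structure only:
# A -> B -> C -> A is an indirect cycle, D stands alone.
# <bundle> is a hypothetical container, not an XACML element.
SAMPLE = """<bundle xmlns:x="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17">
  <x:PolicySet PolicySetId="A"><x:PolicySetIdReference>B</x:PolicySetIdReference></x:PolicySet>
  <x:PolicySet PolicySetId="B"><x:PolicySetIdReference>C</x:PolicySetIdReference></x:PolicySet>
  <x:PolicySet PolicySetId="C"><x:PolicySetIdReference>A</x:PolicySetIdReference></x:PolicySet>
  <x:PolicySet PolicySetId="D"/>
</bundle>"""

def reference_graph(xml_text):
    """Map each PolicySetId to the policy sets it includes (by reference or inline)."""
    graph = {}
    for ps in ET.fromstring(xml_text).iter(NS + "PolicySet"):
        refs = [r.text.strip() for r in ps.findall(NS + "PolicySetIdReference")]
        inline = [c.get("PolicySetId") for c in ps.findall(NS + "PolicySet")]
        graph[ps.get("PolicySetId")] = refs + inline
    return graph

def find_cycle(graph):
    """Return one inclusion cycle as a list of ids (first == last), or None."""
    GREY, BLACK = 1, 2          # GREY: on the current path, BLACK: fully explored
    state, path = {}, []

    def visit(node):
        state[node] = GREY
        path.append(node)
        for nxt in graph.get(node, []):
            if state.get(nxt) == GREY:          # back edge: nxt includes itself
                return path[path.index(nxt):] + [nxt]
            if nxt not in state:
                found = visit(nxt)
                if found:
                    return found
        path.pop()
        state[node] = BLACK
        return None

    for node in sorted(graph):
        if node not in state:
            found = visit(node)
            if found:
                return found
    return None

if __name__ == "__main__":
    print(find_cycle(reference_graph(SAMPLE)))
```
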